Palo Alto Networks Network Security Architect ... Passed

Palo Alto Networks has reworked their certification program to be more "role" based.

You can find all the new certifications here.

So you have a track for each main Palo Alto Networks products portfolio:
- Security Operation oriented with Cortex products

- Cloud Security oriented with Prisma Cloud products

- Network Security oriented with Strata products

I took the NetSec NGFW Engineer and the NetSec Analyst, which were more or less covering the PCNSE (Palo Alto Networks certified Networks Security Engineer) earlier this year.

So I wanted to test the NetSec Architect exam, released last October (announcement here).

... and I got a PASS.

Although during the exam, I was not confident until the last question.

This exam is totally different than the NetSec NGFW Engineer and Analyst, it is more "design" oriented in my opinion. Also, a simple NGFW day to day job would not be enough: an understanding of the big picture of the SASE architecture, and how every product fits into this architecture is required.

For the preparation ... just my day to day work in TAC, which let's me honest lack of Prisma Access / Prisma SDWAN experience. 

Positive point: I attended a workshop on Prisma AIRS - runtime protection, the exam requires the candidate to understand the use case of Prisma AIRS vs AI Access, and it helped me in the exam.

Anyway, if I have to prepare it correctly, I would say you need a correct understanding of the different technologies involved in SASE.

Linkedin "top computer networking voice" badge

This week, I saw I got on my LinkedIn profile the "top computer networking voice" badge.

Is it an achievement?
Actually not really, to get the badge you simply need to answer/comment the automatically generated answers about a question (which is also probably automatically generated).
Of course, you need to answer with relevant answers (to get the comment "liked") but not really rocket science.

Now about this new badge stuff, I was wondering if it was not part of the AI on going trend, Linkedin is part of Microsoft, Microsoft has a partnership with OpenAI (developping ChatGPT) ... and there was this video.

At 0:58, the slide shows the "training pipeline" to get a AI assistant.

So like I wrote earlier, you have automatically generated answers from AI, and you get some human answer, use the how the answers are relevant (based on the number of likes) and use the best answers to improve the train the AI (ChatpGPT).

So the badge is more token for participating in helping the AI to provide better answers than an actual proof of "expertise" as anyone with a LinkedIn ccount could answer.

Anyway, that's always good for my ego.

Use Hostname to deduce running services

Disclaimer : the information in this article have been disclosed to my current company's Patent Committee in December 2023, but they took the decision not to pursue further with it, nor to keep it as Trade Secret, so this idea remains as a simple idea.
Therefore, I will simply disclose it here, I thought it was a good idea, maybe some people can see some interesting use case of it.
Also, as of today, I am not aware of any product / product feature that is using the idea.

So to understand the idea, let's start with some basics.

We talk about 'semantic' when we are talking about the meaning of a word.

In Computing and more specifically in Networking, this goes up to the bit level : 0 / 1 are distinct value, and they have a meaning (is / is no; true / false). So a bit alone may have a meaning, as a set of bits together.

For instance, the flags in the TCP header.

  TCP Header Format

                                    
    0                   1                   2                   3   
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |          Source Port          |       Destination Port        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                        Sequence Number                        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Acknowledgment Number                      |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Data |           |U|A|P|R|S|F|                               |
   | Offset| Reserved  |R|C|S|S|Y|I|            Window             |
   |       |           |G|K|H|T|N|N|                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |           Checksum            |         Urgent Pointer        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Options                    |    Padding    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                             data                              |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                            TCP Header Format

          Note that one tick mark represents one bit position.

                               Figure 3. (from RFC 793)

For instance, the flag SYN when set to 1, mean the segment is the first segment sent by the host, and more important the sequence number in the header is the starting sequence number.

Another illustration of this semantic: the MAC address, and more specifically the first half of it. Those 3 bytes identify a specific vendor.

Last example I want to discuss in this post, is the IP address. You may have heard of the IP addressing, and with it, you may have some rules : for instance, in a network range, the first available address will be the gateway IP address, the 2nd one is for the active gateway (as a device), and the 3rd one is for the passive gateway (again as a device).

Basically:
x.x.x.1 for the default gateway
x.x.x.2 for the active node
x.x.x.3 for the passive node

All the 3 points are examples of semantic in Networking.

Now, there is a feature on PAN-OS which is allowing users to have some policies based on the IP Semantic : IP Wildcard Objects

The wildcard objects will match IPs meeting the wildcard object condition.

The idea I propose is about the hostname. All objects are defined with a hostname (simpler than to remember the IP address of every machine running on the network). Most of the time, the hostmame is defined following a naming convention, so if you can determine the naming convention or at least identify some key portion in the hostname to link to a running service, that can be saved for other purposes.

So by analysing a firewall configuration:
- we can get some mapping of hostname <-> security rules, for instance you have a security rule to allow dns request to the object "fr-dns-1".
- and by doing for a lot of configuration files, you can then get some trends on hostname portion <-> applications. For instance, when you collect 1000 security rules for DNS traffic to different hostnames, it will appear some characters may be common in most of the hostnames (for instance "dns" in a hostname may indicate the server runs DNS server).

So when some trends (hosntame part which are common for most of the security rule for the same application)  are identified for every application, it is then possible to have consumer services which could benefit from it:
- An AI-Copilot for configuration assistance ("Make a security rule to strictly allow only DNS application to the DNS servers")
- configuration audit, making sure that for all the hostnames found in a configuration, only the required applications are allowed.
- intelligence capabilities, if you collect all the A records, the applications running for all records can be returned. 

Lessons learnt from COVID-19

I think this will be one of the major health disaster of the 21th century. It has shows that in our hyperconnected world, it would not be difficult to spread a virus.

No need of a some people (activist or terrorits) to spread it, as shown in the movie "12 Monkeys".

We just need a virus with a long incubation time to allow people with no symptoms to travel before being sick...

Anyway, let's get back to the topic of this post, the lessons learnt from this period.

1 - Appreciate simple things

Being confined at home gives you time to appreciate things you would not noticed in the "pre-COVID" lifestyle.

2 - Keep contacts with relatives, friends, colleagues.

Also, it was not possible to physically meet, you can message/call or do a visio to discuss. It is different, but it is better than being totally in lockdown.

3 - Do not keep in the same location, positive cases and negative cases

Unless you want the positive cases to contamine the negative ones. It is like having zombies in a building with non contaminated people ...if you watched World War Z, you have a lot of times this situation, like that one

Or for IT people, it is like leaving a compromised machine with a worm in the production network waiting all the machines get infected.

4 - Believe in a cure.
Eventually, scientists will find a cure.

Multiple vaccins are going to be released.

More than a contributor on PANCast

Have you heard of Palo Alto Networks' PANCast?

It is a podcast made by TAC engineers (me included) to Palo Alto Networks products users.

Not a sale oriented stuff, really focused on the technology, and how to use 110% capabilities of the products.

The podcast covers all possible topics : from basic troubleshooting tools by TAC to protection of your containers with Azure Container Registry (Prisma Cloud) or discussing the informations you can find in your Cortex XDR logs.

So far, I did an episode on Panorama and its capabilities as logging solution. And we have some episodes pending to be published. I know that because I am scheduling the releases of the episodes :p

So stay tuned.